The credit crunch is beginning to bite hard – so much so that we’re finally starting to refer to it as the recession that it really is. At a time when data loss incidents are still high on the media agenda, is the recession going to have a negative impact on privacy?
There are daily reports now of unemployment rises, corporate failures, jittery banks and interest rate cuts. Now the reality is beginning to set in, and we are beginning to feel the effects of the recession – rising costs (although that started early in the year), falling sales, redundancies. This is going to have a negative impact on privacy for all of us, whether as providers of privacy/security/identity products and services, or as individuals with personal information being processed by organisations. I believe this will be more than just a gentle erosion, but potentially a major meltdown in respect for processing of personal information over the coming year, and one that will make the likes of HMRC’s loss of child benefit data fade into insignificance through a tidal wave of smaller incidents.
There are a number of factors that will combine to cause this meltdown:
- Organisations are slashing their security and privacy budgets. Within any organisation that has not suffered a high-profile incident, it is very difficult to argue a business case for providing privacy or security, at least anything over and above what is necessary to scrape through compliance requirements. Intangible privacy benefits are never going to gain support in this environment.
- Where budgets are available to deliver on privacy promises, the sign-off for procurement has now gone up through several levels of management, and it will become very tempting to think ‘why bother?’ when it is so hard to obtain the money.
- Culturally, nobody wants to be the bearer of bad news, particularly at a time when executive management are looking to slash headcount. Who’s going to explain to an organisation’s Board that they have to deal with privacy problems when they’re firefighting the overall governance of the business?
- We’ve all become battle-hardened by daily tales of data losses, and are far less likely to be outraged than we were even a few months ago (this is one of the reasons I believe that Data Breach Notification laws are a waste of time). Organisations will respond by lowering the priority of privacy in their risk assessments.
- The pressure is on to maximise asset value, and this will mean milking databases for every possible usage. Personal data will get used, abused, sold and mis-sold in increasingly desperate attempts to generate sales. The problem is compounded by individual staff members who will, fearing redundancy, steal copies of that data for their own protection or use – salespeople around the country will right now be loading their corporate sales lists onto memory sticks in anticipation of a P45 and the potential value that a stolen client list could bring to a potential new employer.
- Finally, it will become politically unacceptable for any regulator to haul an organisation over the coals for failure to manage personal information properly. At a time when businesses are fighting to stay afloat, it’s not going to look good for a regulator that sinks an organisation, even if that punishment was well-deserved.
There is a host of other factors too numerous to explore here – an increasing maturity in the privacy and identity marketplace, loss of interest from the major SI firms now that the massive government procurements have completed, loss of sponsorship for R&D in this area, citizens distracted from the surveillance state agenda thus allowing the government to push through Orwellian legislation for monitoring and interception, to name but a few. But the outcome will be the same regardless: a collapse of privacy caused by a deeply flawed US mortgage lending policy. Just over a year ago I thought we’d seen the ‘privacy Chernobyl’. Now? I think it was just the opening salvo in a much bloodier battle.